The HIPAA Security Rule got its first overhaul in more than two decades. If you are a health-tech SaaS team running on the 2003 framework, several protections that were formerly addressable—meaning you could substitute equivalent alternatives with documentation—are now required. The mandatory controls land in stages, and the implementation window is tighter than most teams realize.
From addressable to required: what actually changed
The original 2003 rule split Security Rule standards into two tiers: "required," which you must implement as written, and "addressable," which you must implement or document why a reasonable alternative is sufficient. That flexibility served its purpose in a world of on-premise hospital systems. It was not designed for cloud-native SaaS teams handling ePHI across multi-tenant infrastructure.
The 2026 update elevates several formerly addressable standards to required status [source: https://www.hipaajournal.com/hipaa-updates-hipaa-changes/]:
Multi-factor authentication is no longer a judgment call. Every workforce member who accesses systems that create, receive, maintain, or transmit ePHI must authenticate with MFA. No alternative implementation is acceptable—you either have it or you do not. Encryption of ePHI at rest moves from addressable to required. This closes the most common gap where teams documented that their environment made encryption impractical or that access controls compensated. That path is gone. Audit log retention now has a defined minimum period attached to it. Previously, the rule required audit controls but left retention periods to organizational discretion. The update specifies what qualifies [source: https://www.hipaajournal.com/new-hipaa-regulations/]. Network segmentation is a new addition. Systems handling ePHI must be isolated from general corporate infrastructure. For multi-tenant SaaS products, this has direct architectural consequences—it is not a policy change you can address with a configuration toggle.Five risk assessment components the rule now mandates
The 2026 rule tightens the risk assessment standard beyond the broad "accurate and thorough assessment" language of the original rule. Minimum documented components now include [source: https://www.cbiz.com/insights/article/5-hipaa-security-rule-changes-in-2026-and-how-to-prepare]:
If your current risk assessment is a template filled in annually with minimal updates, it is likely non-compliant with the new standard regardless of how sound your actual controls are.
What the 240-day window means in practice
HHS set a 240-day implementation window from the effective date of the final rule [source: https://www.elisity.com/blog/hipaa-security-rule-2026-240-days]. That sounds substantial. It is not, if you have network segmentation to implement.
Network segmentation for multi-tenant SaaS products is not a weekend project. You need to map every ePHI flow, model the segmentation boundaries, design the implementation without breaking application access patterns, test in a non-production environment, and roll out in stages. Teams that try to compress this get either a failed implementation or a compliance gap they cannot document their way out of.
MFA and encryption at rest, by contrast, can often be implemented quickly if you are on AWS, Azure, or GCP—each offers native controls that, when correctly configured, satisfy the requirements. The risk is misconfiguration: partial MFA rollout that leaves service accounts uncovered, or encryption enabled on the primary database but not on backups or data archives.
A practical sequencing approach:
- First 30 days: Asset inventory and ePHI data flow mapping. Nothing else is properly scopeable without this.
- Days 30–60: Gap assessment against the required vs. addressable changes. Document what exists, what is absent, and what needs architectural work.
- Days 60–120: MFA enforcement and encryption at rest. These should move quickly on cloud infrastructure.
- Days 120–200: Network segmentation design, test, and rollout.
- Days 200–240: Evidence packaging—audit log configuration records, MFA enrollment reports, encryption status exports, updated risk assessment with all five documented components, updated BA agreements.
What auditors will test in the first cycle
Auditors under the new rule will be looking at completeness, not just existence. "We have MFA" is not the same as "we can demonstrate MFA is enforced across every role with ePHI access, with no gaps." The difference shows up in findings.
Expect scrutiny on [source: https://www.hipaajournal.com/hipaa-updates-hipaa-changes/]:
- MFA coverage: Can you show enforcement across all roles, including privileged accounts and service accounts where applicable? One gap is a finding.
- Encryption configuration: Not the policy document—the configuration exports, key management documentation, and evidence covering backups and non-obvious storage such as search indexes, temporary files, and message queues.
- Risk assessment structure: Auditors will walk your risk assessment against the five-component checklist. An assessment that passed in 2025 may not satisfy the new standard.
- Business associate agreement currency: BA agreements must reflect the updated required controls. Agreements drafted against the old addressable framework are likely out of date.
Building an evidence-ready posture before the audit clock starts
Minimum evidence set for the 2026 Security Rule:
- MFA configuration export scoped to all ePHI-handling systems and roles
- Encryption at rest status report covering every data store, backup, and archive destination
- Network segmentation architecture diagram with ePHI flows annotated
- Audit log retention configuration demonstrating compliant retention periods
- Risk assessment with the five required documented components, reviewed and signed off
- Updated BA agreements executed after the effective date
Mapping updated HIPAA mandatory controls to your existing risk program takes time that rarely exists between product cycles. CloudAnzen continuously monitors your ePHI-handling systems against the updated Security Rule requirements and surfaces evidence gaps before your auditor does. Talk to us.